Panda Security, The Cloud Security Company, has identified malicious apps on Google Play that can sign users up to premium SMS subscription services without their permission. These new threats have been able to infect at least 300,000 users so far, although the number of malicious downloads could have reached 1,200,000.

“Peinados Fáciles” (Easy Hairdos), “Dietas para Reducir el Abdomen” (Abs Diets), “Rutinas Ejercicios para el Gym” (Workout Routines) and “Cupcakes Recetas” (Cupcake Recipes) are among the malicious apps available for download on Google Play.

In the case of “Dietas para Reducir el Abdomen” (Abs Diets), for example, once the app has been installed and the user has accepted the terms and conditions of use of the service, the following happens: Firstly, the app displays a series of tips to reduce abdominal fat. Secondly, and without the user’s knowledge, the app looks for the phone number of the mobile device, connects to a Web page and signs the victim up to a premium SMS subscription service. However, how do fraudsters obtain the phone number of the device? The number is ‘stolen’ from one of the world’s most popular apps: WhatsApp. As soon as the user opens WhatsApp, the malicious app will get the phone number and save it as part of the data it needs to synchronize the account.

According to data from Google Play, this app has been downloaded by between 50,000 and 100,000 users. The other apps work in exactly the same way, so it is safe to say that the four malicious apps may have infected between 300,000 and 1,200,000 users in total.

“The truth is that fraudsters are making insane amounts of money from these premium services. A conservative estimate of, let’s say, €20 paid by each user would result in a huge sum of 6 to 24 million euros stolen from victims”, said Luis Corrons, Technical Director of PandaLabs.

How to Protect Mobile Devices

Regardless of the security solution installed on their devices, users must always read the list of permissions requested by apps before installing them. If an app requires permissions to access the Internet or read SMS messages when there is no need for it, it should not be installed.

The Panda Mobile Security (v1.1) “Privacy Auditor” feature classifies apps with permissions to sign users up for premium SMS services under the “Cost Money” category, from where they can be easily removed.

Panda Mobile Security

“Not every app that is included in that category is malicious. Having said that, any app with permissions to act in the described manner can be considered dangerous. In any event, if the user sees any apps with permissions they should not have, they should remove them immediately”, explained Corrons.

Additionally, these malicious apps have been designed to attack users in Spain, as the service is provided by a Spanish company and they mention mobile carriers operating in Spain such as Movistar, Yoigo, Orange and Vodafone. Also, the price charged to the user will depend on the company they use.

“These apps might stay on Google Play for a long time as, in the end, it is the users themselves who willingly accept the apps’ terms of service, an aspect which might be used by fraudsters as a defense. A defense, in any case, not strong enough to prevent our solution Panda Mobile Security from detecting and removing their creations”, added Corrons.

More info, in PandaLabs Blog.